Date:      Sun, 07 Sep 2008 17:31:51 +0200
From:      "Olli Hauer" <ohauer@gmx.de>
To:        Yar Tikhiy <yar@comp.chem.msu.su>, freebsd-pf@freebsd.org
Subject:   Re: pf creating states by default now?
Message-ID:  <20080907153151.310630@gmx.net>
In-Reply-To: <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su>
References:  <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su>

> Hi all,
> 
> After upgrading a production machine from 6.x to 7.x,
> I noticed that pf would create states from rules without
> "keep state".  IMSMR, it hadn't happened before, and
> the pf.conf(5) manpage still says one has to specify
> "keep state" explicitly for pf to create states.
> 
> Just examined this issue more closely on a CURRENT machine.
> If I load the following simple pf.conf file:
> 
> > set skip on lo0
> > block return all
> > pass out all
> > pass in inet proto icmp all icmp-type echoreq
> > pass in inet proto tcp from any to any port 22
> 
> 
> then I get these actual rules as shown by "pfctl -s rules":
> 
> > block return all
> > pass out all flags S/SA keep state
> > pass in inet proto icmp all icmp-type echoreq keep state
> > pass in inet proto tcp from any to any port = ssh flags S/SA keep state
> 
> 
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially.  Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
> 
> Thanks!  And excuse me if I'm just missing something.
> 
> Yar
> 

Yes, it is not in the pf.conf(5) man page but in the release notes: http://www.freebsd.org/releases/7.0R/relnotes.html
See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes).
The man page matches the OpenBSD one: http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

What is your reason for not using 'S/SA keep state' on these rules?

You can disable this with the 'no state' keyword.

Regards,
olli

-- 
Psssst! Already seen the cool video of the GMX MultiMessenger?
The one for all: http://www.gmx.net/de/go/messenger03
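As an added example (not part of the thread, and not from either poster), here is the same pf.conf rewritten so that every rule states its state handling explicitly, using the 'no state' keyword named in the reply. It assumes the FreeBSD 7.x behaviour the thread describes (a "pass" rule on TCP defaults to "flags S/SA keep state" unless told otherwise) and the documented meaning of "flags S/SA" (SYN set, ACK clear).

```conf
# Added example: explicit state handling under pf with the 7.x defaults.
# Rules are evaluated last-match-wins; "block return all" is the fallback.
set skip on lo0
block return all

# Outbound: keep the stateful default, but spell it out so the intent is
# visible in the file rather than only in "pfctl -s rules".
pass out all flags S/SA keep state

# ICMP echo requests: stateless, so no state entry is created per ping.
# (The echo replies go out via "pass out all" above, which is not limited
# to TCP, so no extra rule is needed for them.)
pass in inet proto icmp all icmp-type echoreq no state

# SSH: stateless inbound rule. Since no state exists for the connection,
# the server's SYN-ACK replies do not match "pass out all flags S/SA keep
# state" (that rule only matches TCP packets with SYN set and ACK clear)
# and would fall through to "block return all". A stateless reply rule is
# therefore required whenever the inbound side is stateless.
pass in inet proto tcp from any to any port 22 no state
pass out inet proto tcp from any port 22 to any no state
```

To see what pf will actually load, parse the file without activating it: `pfctl -nvf /etc/pf.conf` prints each rule as pf expands it, which is where an implicit "keep state" shows up. The trade-off is the usual one: stateless rules create no state-table entries (no per-connection memory, no state-limit exhaustion), but they also give up pf's sequence and flag tracking, so every reply direction must be permitted by an explicit rule.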



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080907153151.310630>